diff --git a/viola/boot/kernel.nix b/viola/boot/kernel.nix index 275cc4c..ed7b745 100644 --- a/viola/boot/kernel.nix +++ b/viola/boot/kernel.nix @@ -9,9 +9,14 @@ "vm.dirty_writeback_centisecs" = 100; "vm.vfs_cache_pressure" = 50; "vm.max_map_count" = 1048576; + + "net.ipv6.conf.all.disable_ipv6" = 1; + "net.ipv6.conf.default.disable_ipv6" = 1; + "net.ipv6.conf.lo.disable_ipv6" = 1; }; }; + # kernelPackages = self.inputs.nix-cachyos-kernel.legacyPackages.x86_64-linux.linuxPackages-cachyos-server-lto; extraModulePackages = with config.boot.kernelPackages; [ rtl8821ce yt6801 @@ -34,6 +39,8 @@ "kernel.watchdog=0" "oops=panic" + + "ipv6.disable=1" ]; blacklistedKernelModules = [ @@ -71,6 +78,6 @@ btrfs = true; }; - consoleLogLevel = 0; + consoleLogLevel = 7; }; } diff --git a/viola/default.nix b/viola/default.nix index 535051b..d5d0a08 100644 --- a/viola/default.nix +++ b/viola/default.nix @@ -23,7 +23,6 @@ "${self}/viola/i18n/locales.nix" - "${self}/viola/networking/dhcp.nix" "${self}/viola/networking/firewall.nix" "${self}/viola/networking/hostname.nix" "${self}/viola/networking/networkmanager.nix" 
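Review bot: `"ipv6.disable=1"` (together with the three `disable_ipv6` sysctls in the first hunk) removes the IPv6 stack completely, but other files in this same commit still depend on it: resolved.nix lists IPv6 fallback resolvers, and garage.nix and microbin.nix bind `[::]`, which cannot be opened once the af_inet6 module is gone. Either drop the kernel parameter and rely on the sysctls alone, or move those listeners to `0.0.0.0`/`127.0.0.1` and remove the `2606:...`/`2001:...`/`2620:...` entries. The `consoleLogLevel = 7` change in the following hunk also sends every kernel message to the console; if it is a temporary debugging aid, say so in a comment so it does not ship that way.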
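Review bot: The import list keeps `"${self}/viola/networking/firewall.nix"` while this same commit deletes viola/networking/firewall.nix, so evaluation fails on a missing path; remove that line alongside the dhcp.nix one. Once the file is gone the NixOS firewall stays enabled by default but only `openFirewall` ports (sshd on 6969 here) are reachable, so 80/443 for Traefik and the mail ports have to be opened explicitly somewhere I cannot see in this diff. If the intent is to run without a host firewall, state it with an explicit `networking.firewall.enable = false;` rather than by deleting the module.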
@@ -64,16 +63,26 @@ "${self}/viola/services/forgejo.nix" "${self}/viola/services/postgresql.nix" "${self}/viola/services/vaultwarden.nix" - "${self}/viola/services/privatebin.nix" "${self}/viola/services/woodpecker.nix" "${self}/viola/services/stalwart.nix" "${self}/viola/services/homepage.nix" "${self}/viola/services/redis.nix" "${self}/viola/services/zitadel.nix" "${self}/viola/services/garage.nix" + "${self}/viola/services/traefik.nix" + "${self}/viola/services/resolved.nix" + "${self}/viola/services/alloy.nix" + "${self}/viola/services/grafana.nix" + "${self}/viola/services/loki.nix" + "${self}/viola/services/tempo.nix" + "${self}/viola/services/mimir.nix" + "${self}/viola/services/sws.nix" + "${self}/viola/services/alertmanager.nix" + "${self}/viola/sops/age.nix" "${self}/viola/sops/defaults.nix" "${self}/viola/sops/secrets.nix" + "${self}/viola/sops/templates.nix" "${self}/hand7s/stylix/base16Scheme.nix" "${self}/hand7s/stylix/cursor.nix" @@ -85,6 +94,7 @@ "${self}/viola/system/stateVersion.nix" "${self}/viola/systemd/oomd.nix" + "${self}/viola/systemd/tmpfiles/rules.nix" "${self}/viola/systemd/slices/system-slice.nix" "${self}/viola/systemd/slices/user-slice.nix" "${self}/viola/systemd/slices/root-slice.nix" diff --git a/viola/disko/disk.nix b/viola/disko/disk.nix index 2eb4b2e..78cb8cc 100644 --- a/viola/disko/disk.nix +++ b/viola/disko/disk.nix @@ -2,7 +2,7 @@ disko = { devices = { disk = { - main = { + "main" = { device = "/dev/disk/by-id/ata-EAGET_SSD_256GB_EAGET20250505V00003"; type = "disk"; content = { diff --git a/viola/environment/variables.nix b/viola/environment/variables.nix index 2cd14c2..9fd91b8 100644 --- a/viola/environment/variables.nix +++ b/viola/environment/variables.nix @@ -1,7 +1,6 @@ {config, ...}: { environment = { variables = { - AMD_VULKAN_ICD = "RADV"; HOSTNAME = config.networking.hostName; QT_QPA_PLATFORM = "wayland"; SDL_VIDEODRIVER = "wayland"; 
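Review bot: `"${self}/viola/services/vaultwarden.nix"` is still imported here although the file is deleted later in this commit, and the new viola/services/microbin.nix (the privatebin replacement) and firewalld.nix are not added, so the build fails on the vaultwarden path and microbin is never enabled. Replace the vaultwarden line with `"${self}/viola/services/microbin.nix"` or restore the file, and either import firewalld.nix or drop it.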
diff --git a/viola/home-manager/users.nix b/viola/home-manager/users.nix index 9d92dc6..57bf966 100644 --- a/viola/home-manager/users.nix +++ b/viola/home-manager/users.nix @@ -4,12 +4,10 @@ "hand7s" = { imports = [ "${self}/hand7s/" - self.inputs.agenix.homeManagerModules.default self.inputs.spicetify-nix.homeManagerModules.default self.inputs.hyprland.homeManagerModules.default self.inputs.chaotic.homeManagerModules.default self.inputs.sops-nix.homeManagerModules.sops - self.inputs.nix-index-database.homeModules.nix-index ]; }; diff --git a/viola/networking/dhcp.nix b/viola/networking/dhcp.nix deleted file mode 100644 index 0740ea3..0000000 --- a/viola/networking/dhcp.nix +++ /dev/null @@ -1,10 +0,0 @@ -{lib, ...}: { - networking = { - useDHCP = lib.mkDefault true; - dhcpcd = { - enable = true; - persistent = false; - wait = "any"; - }; - }; -} diff --git a/viola/networking/firewall.nix b/viola/networking/firewall.nix deleted file mode 100644 index 04c13fd..0000000 --- a/viola/networking/firewall.nix +++ /dev/null @@ -1,56 +0,0 @@ -_: { - networking = { - firewall = { - allowPing = true; - enable = true; - checkReversePath = false; - allowedUDPPorts = [ - 80 - 8080 - 8443 - 8980 - 53350 - 53351 - 53353 - - # mc - 25565 - - # mail - 24 - 25 - 110 - 143 - 465 - 587 - 993 - 995 - 4190 - ]; - - allowedTCPPorts = [ - 80 - 8080 - 8443 - 8980 - 53350 - 53351 - 53353 - - # mc - 25565 - - # mail - 24 - 25 - 110 - 143 - 465 - 587 - 993 - 995 - 4190 - ]; - }; - }; -} diff --git a/viola/networking/hosts.nix b/viola/networking/hosts.nix deleted file mode 100644 index e42e2b1..0000000 --- a/viola/networking/hosts.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: { - networking = { - hosts = { - # nope - }; - }; -} diff --git a/viola/networking/interfaces.nix b/viola/networking/interfaces.nix deleted file mode 100644 index 03a3a3e..0000000 --- a/viola/networking/interfaces.nix +++ /dev/null 
@@ -1,31 +0,0 @@
-_: {
- networking = {
- firewall = {
- interfaces = {
- wt0 = {
- allowedUDPPorts = [
- 25
- 6969
- 8080
- 8443
- 8980
- 53350
- 53351
- 53352
- ];
-
- allowedTCPPorts = [
- 25
- 6969
- 8080
- 8443
- 8980
- 53350
- 53351
- 53352
- ];
- };
- };
- };
- };
-}
diff --git a/viola/services/alertmanager.nix b/viola/services/alertmanager.nix
new file mode 100644
index 0000000..4026d99
--- /dev/null
+++ b/viola/services/alertmanager.nix
@@ -0,0 +1,27 @@
+_: {
+ services = {
+ prometheus = {
+ alertmanager = {
+ enable = true;
+ configuration = {
+ route = {
+ receiver = "null";
+ group_by = [
+ "alertname"
+ "job"
+ ];
+
+ group_wait = "30s";
+ group_interval = "5m";
+ repeat_interval = "12h";
+ };
+ receivers = [
+ {
+ name = "null";
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/viola/services/alloy.nix b/viola/services/alloy.nix
new file mode 100644
index 0000000..f6b5c4d
--- /dev/null
+++ b/viola/services/alloy.nix
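Review bot: The only receiver is `"null"` with no notifier configured, so every alert the Loki and Mimir rulers send to 127.0.0.1:9093 — including the `HostDown`/`ServiceDown` rules marked `critical` — is silently discarded. Add a real receiver (webhook, or email through the local Stalwart) or hold the rules until one exists. Also pin `listenAddress = "127.0.0.1";`: unless it is set elsewhere, the module default listens on all interfaces and the Alertmanager API is unauthenticated, with no firewall module surviving this commit.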
@@ -0,0 +1,93 @@
+{pkgs, ...}: {
+ services = {
+ alloy = {
+ enable = true;
+ configPath = pkgs.writeText "alloy-config.alloy" ''
+ loki.source.journal "system" {
+ forward_to = [loki.process.production.receiver]
+ relabel_rules = loki.relabel.journal.rules
+ labels = {
+ host = "viola",
+ job = "systemd",
+ }
+ }
+
+ loki.relabel "journal" {
+ forward_to = []
+ rule {
+ source_labels = ["__journal__systemd_unit"]
+ target_label = "unit"
+ }
+ }
+
+ loki.write "local" {
+ endpoint {
+ url = "http://127.0.0.1:3100/loki/api/v1/push"
+ }
+ }
+
+ loki.process "production" {
+ forward_to = [loki.write.local.receiver]
+
+ stage.match {
+ selector = `{service_name=~"(alloy|forgejo|grafana|loki|microbin|mimir|stalwart|postgresql|redis|stalwart|static-web-server|tempo|traefik|vaultwarden|woodpecker|zitadel)\\.service"}`
+ action = "keep"
+ }
+ }
+
+ prometheus.exporter.unix "node" {
+ enable_collectors = [
+ "cpu", "diskstats", "filesystem",
+ "loadavg", "meminfo", "netdev",
+ "systemd", "time", "uname",
+ ]
+ }
+
+ prometheus.scrape "node" {
+ targets = prometheus.exporter.unix.node.targets
+ forward_to = [prometheus.remote_write.mimir.receiver]
+ scrape_interval = "30s"
+ job_name = "node"
+ }
+
+ prometheus.scrape "alloy" {
+ targets = [{"__address__" = "127.0.0.1:12345"}]
+
+ forward_to = [prometheus.remote_write.mimir.receiver]
+ job_name = "alloy"
+ }
+
+ prometheus.remote_write "mimir" {
+ endpoint {
+ url = "http://127.0.0.1:9009/api/v1/push"
+ }
+ }
+
+ otelcol.receiver.otlp "default" {
+ grpc {
+ endpoint = "0.0.0.0:4317"
+ }
+
+ http {
+ endpoint = "0.0.0.0:4318"
+ }
+
+ output {
+ traces = [otelcol.exporter.otlp.tempo.input]
+ logs = [otelcol.exporter.loki.local.input]
+ }
+ }
+
+ otelcol.exporter.otlp "tempo" {
+ client {
+ endpoint = "http://127.0.0.1:4317"
+ }
+ }
+
+ otelcol.exporter.loki "local" {
+ forward_to = [loki.write.local.receiver]
+ }
+ '';
+ };
+ };
+}
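Review bot: `otelcol.receiver.otlp "default"` binds `0.0.0.0:4317` and `0.0.0.0:4318`, the exact addresses tempo.nix's distributor binds in this commit, so whichever service starts second fails; and `otelcol.exporter.otlp "tempo"` dials `127.0.0.1:4317`, which with this config may be Alloy itself, feeding traces back into its own receiver. Give Alloy distinct ports (or drop its OTLP receiver and point Forgejo/Stalwart/Traefik at Tempo directly) and bind `127.0.0.1` — these endpoints accept unauthenticated writes and no firewall module survives this commit. Separately, `stage.match` keys on `service_name`, but the only labels set upstream are `host`, `job` and `unit`, so with `action = "keep"` the filter likely drops every journal line; match on `unit` instead. The regex also lists `stalwart` twice.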
diff --git a/viola/services/firewalld.nix b/viola/services/firewalld.nix new file mode 100644 index 0000000..e8eb510 --- /dev/null +++ b/viola/services/firewalld.nix @@ -0,0 +1,19 @@ +_: { + services = { + firewalld = { + enable = false; + + zones = { + "eno1" = { + interfaces = [ + "ens1" + ]; + + services = [ + "sunshine" + ]; + }; + }; + }; + }; +} diff --git a/viola/services/forgejo.nix b/viola/services/forgejo.nix index 2f5683f..075d0d3 100644 --- a/viola/services/forgejo.nix +++ b/viola/services/forgejo.nix @@ -5,7 +5,7 @@ _: { database = { type = "postgres"; - port = "${dbport}"; + host = "localhost"; }; settings = { @@ -19,9 +19,9 @@ _: { repository = { DEFAULT_PRIVATE = "last"; PREFERRED_LICENSES = "MIT"; - DISABLE_HTTP_GIT = true; + DISABLE_HTTP_GIT = false; USE_COMPAT_SSH_URI = true; - GO_GET_CLONE_URL_PROTOCOL = "ssh"; + GO_GET_CLONE_URL_PROTOCOL = "http"; DEFAULT_BRANCH = "master"; }; @@ -47,6 +47,11 @@ _: { MERGES = "always"; }; + opentelemetry = { + EXPORTER = "otlp"; + ENDPOINT = "http://127.0.0.1:4318"; + }; + badges = { ENABLED = false; }; @@ -90,6 +95,13 @@ _: { service = { DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + }; + + oauth2_client = { + ENABLE_AUTO_REGISTER = true; + ACCOUNT_LINKING = "auto"; + USERNAME = "preferred_username"; }; "service.explore" = { diff --git a/viola/services/garage.nix b/viola/services/garage.nix index 607f265..aae0fd5 100644 --- a/viola/services/garage.nix +++ b/viola/services/garage.nix 
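Review bot: `ACCOUNT_LINKING = "auto"` combined with `ENABLE_AUTO_REGISTER = true` links an incoming OIDC identity to an existing local account that shares its email/username without any confirmation, so whoever controls user attributes on the IdP side can take over an existing Forgejo user; Forgejo documents this mode as appropriate only for a fully trusted IdP. Prefer `ACCOUNT_LINKING = "login"` so the user authenticates locally once to link. In the earlier hunk, `DISABLE_HTTP_GIT = false` plus `GO_GET_CLONE_URL_PROTOCOL = "http"` re-enables clone/push over HTTP; that is acceptable behind Traefik's TLS, but `ROOT_URL`/`PROTOCOL` are outside this diff, so confirm clone URLs are emitted as https.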
@@ -5,7 +5,28 @@ package = pkgs.garage; logLevel = "error"; settings = { - # nope + replication_factor = 1; + consistency_mode = "consistent"; + use_local_tz = true; + + rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "127.0.0.1:3901"; + + "s3_api" = { + s3_region = "garage"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.garage.localhost"; + }; + + "s3_web" = { + bind_addr = "[::]:3902"; + root_domain = ".web.garage.localhost"; + index = "index.html"; + }; + + "k2v_api" = { + api_bind_addr = "[::]:3904"; + }; }; }; }; diff --git a/viola/services/grafana.nix b/viola/services/grafana.nix new file mode 100644 index 0000000..3b7d8c7 --- /dev/null +++ b/viola/services/grafana.nix 
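Review bot: `rpc_bind_addr = "[::]:3901"` and the S3/web/K2V `api_bind_addr`/`bind_addr` values all use the IPv6 wildcard, which cannot be bound on a kernel booted with `ipv6.disable=1` as kernel.nix does in this commit; use `127.0.0.1:PORT` since Traefik is meant to front these, or `0.0.0.0:PORT` if they must be reachable. No `rpc_secret`/`rpc_secret_file` appears in the settings and Garage refuses to start without one — presumably it comes from sops elsewhere, worth confirming. `rpc_public_addr = "127.0.0.1:3901"` is fine for a single node but should be documented as such (`# single-node: RPC never leaves the host`).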
@@ -0,0 +1,137 @@ +{ + config, + lib, + pkgs, + ... +}: { + services = { + grafana = { + enable = true; + declarativePlugins = with pkgs.grafanaPlugins; [ + grafana-lokiexplore-app + grafana-exploretraces-app + grafana-metricsdrilldown-app + grafana-pyroscope-app + + redis-datasource + redis-explorer-app + + volkovlabs-rss-datasource + ]; + + settings = { + log = { + level = "info"; + mode = "console"; + }; + + security = { + secret_key = config.sops.secrets."grafanaKey".path; + }; + + server = { + http_addr = "0.0.0.0"; + http_port = 3030; + domain = "grafana.hand7s.org"; + root_url = "https://grafana.hand7s.org"; + }; + + "auth.generic_oauth" = { + enabled = true; + name = "Zitadel"; + icon = "signin"; + scopes = "openid profile email offline_access urn:zitadel:iam:org:project:id:zitadel:aud"; + client_id = ""; + client_secret = ""; + auth_url = "https://zitadel.hand7s.org/oauth/v2/authorize"; + token_url = "http://zitadel.hand7s.org:8443/oauth/v2/token"; + api_url = "http://zitadel.hand7s.org:8443/oidc/v1/userinfo"; + tls_skip_verify_insecure = true; + allow_assign_grafana_admin = true; + role_attribute_strict = true; + skip_org_role_sync = false; + use_pkce = true; + + role_attribute_path = ''"urn:zitadel:iam:org:project:roles"."grafana-admin" && 'GrafanaAdmin' || 'Viewer' ''; + }; + + "auth" = { + disable_login_form = true; + signout_redirect_url = "https://zitadel.hand7s.org/oidc/v1/end_session"; + }; + }; + + provision = { + enable = true; + + datasources = { + settings = { + datasources = + [ + { + name = "Loki-LGTM"; + type = "loki"; + url = "http://127.0.0.1:3100"; + isDefault = false; + jsonData = { + derivedFields = [ + { + name = "traceID"; + matcherRegex = "traceID=(\\w+)"; + url = "http://127.0.0.1:3200"; + datasourceUid = "tempo"; + } + ]; + }; + } + + { + name = "Mimir-LGTM"; + type = "prometheus"; + url = "http://127.0.0.1:9009/prometheus"; + isDefault = true; + } + + { + name = "Tempo-LGTM"; + type = "tempo"; + uid = "tempo"; + url = 
"http://127.0.0.1:3200"; + jsonData = { + lokiSearch = { + datasourceUid = "loki"; + }; + + serviceMap = { + datasourceUid = "mimir"; + }; + + nodeGraph = { + enabled = true; + }; + }; + } + ] + ++ lib.forEach [ + "forgejo" + "loki" + "mimir" + "stalwart" + "traefik" + "zitadel" + ] ( + name: { + name = "Redis-${name}"; + type = "redis-datasource"; + url = "unix:/run/redis-${name}/redis.sock"; + secureJsonData = { + password = name; + }; + } + ); + }; + }; + }; + }; + }; +} diff --git a/viola/services/homepage.nix b/viola/services/homepage.nix index 2a2a8f3..322c070 100644 --- a/viola/services/homepage.nix +++ b/viola/services/homepage.nix @@ -2,6 +2,7 @@ _: { services = { homepage-dashboard = { enable = true; + allowedHosts = "localhost:8080,127.0.0.1:8080,192.168.1.144:8080,100.109.71.194:8080,home.hand7s.org"; listenPort = 8080; settings = { 
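Review bot: `token_url` and `api_url` use `http://zitadel.hand7s.org:8443` with `tls_skip_verify_insecure = true`, so the authorization-code exchange — client secret included — travels in the clear and any certificate would be accepted; both services sit on this host, so use the https origin the `auth_url` already uses (`https://zitadel.hand7s.org/oauth/v2/token`, `.../oidc/v1/userinfo`) and drop the skip-verify flag. `client_id`/`client_secret` are empty strings and `security.secret_key` receives the sops secret's *path* where Grafana expects the value (use `$__file{${config.sops.secrets."grafanaKey".path}}`), so login fails as committed. The `Redis-${name}` datasources set `password = name`, which does not match the `lib.hashString "md5"` passwords redis.nix assigns to stalwart/zitadel/traefik/loki/mimir, and `http_addr = "0.0.0.0"` exposes port 3030 on every interface although Traefik fronts it.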
@@ -11,50 +12,83 @@ _: { background = "https://w.wallhaven.cc/full/1q/wallhaven-1q87xv.png"; color = "violet"; headerStyle = "boxed"; - - layout = [ - { - Dev = { - iconsOnly = true; - }; - } - ]; }; bookmarks = [ - { - Dev = [ - { - GitHub = [ - { - abbr = "GH"; - href = "https://github.com/"; - } - ]; - } - - { - Forgejo = [ - { - abbr = "Forge"; - href = "https://git.hand7s.org/"; - } - ]; - } - - { - PivateBin = [ - { - abbr = "PB"; - href = "https://bin.hand7s.org/"; - } - ]; - } - ]; - } ]; services = [ + { + "Local-only" = [ + { + "Vaultwarden" = { + icon = "vaultwarden"; + href = "https://pass.hand7s.org"; + description = "vaultwarden"; + }; + } + + { + "Syncthing" = { + icon = "syncthing"; + href = "https://sync.hand7s.org"; + description = "syncing"; + }; + } + + { + "OpenWRT" = { + icon = "openwrt"; + href = "https://luci.hand7s.org"; + description = "router"; + }; + } + ]; + } + + { + "Local-host" = [ + { + "Grafana" = { + icon = "grafana"; + href = "https://grafana.hand7s.org"; + description = "observability"; + }; + } + + { + "Forgejo" = { + icon = "gitea"; + href = "https://git.hand7s.org"; + description = "git"; + }; + } + + { + "Woodpecker" = { + icon = "woodpecker-ci"; + href = "https://woodpecker.hand7s.org/"; + description = "cicd"; + }; + } + + { + "Stalwart" = { + icon = "stalwart"; + href = "https://mail.hand7s.org"; + description = "mail"; + }; + } + + { + "Zitadel" = { + icon = "zitadel"; + href = "https://zitadel.hand7s.org"; + description = "idp"; + }; + } + ]; + } ]; widgets = [ @@ -73,6 +107,14 @@ _: { }; } + { + search = { + provider = "perplexity"; + target = "_blank"; + focus = false; + }; + } + { resources = { cpu = true; diff --git a/viola/services/loki.nix b/viola/services/loki.nix new file mode 100644 index 0000000..5b2a6fb --- /dev/null +++ b/viola/services/loki.nix 
@@ -0,0 +1,127 @@ +{ + pkgs, + lib, + ... +}: { + services = { + loki = { + enable = true; + + configuration = { + auth_enabled = false; + server = { + http_listen_port = 3100; + grpc_listen_port = 9097; + }; + + common = { + replication_factor = 1; + path_prefix = "/var/lib/loki"; + ring = { + instance_addr = "127.0.0.1"; + kvstore = { + store = "inmemory"; + }; + }; + }; + + schema_config = { + configs = [ + { + from = "2025-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + + storage_config = { + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + chunk_store_config = { + chunk_cache_config = { + redis = { + endpoint = "127.0.0.1:6385"; + password = "loki"; + db = 0; + timeout = "500ms"; + expiration = "24h"; + }; + }; + }; + + compactor = { + working_directory = "/var/lib/loki/compactor"; + retention_enabled = true; + delete_request_store = "filesystem"; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + retention_period = "720h"; + }; + + query_range = { + cache_results = true; + results_cache = { + cache = { + redis = { + endpoint = "127.0.0.1:6385"; + password = "loki"; + db = 0; + timeout = "500ms"; + expiration = "1h"; + }; + }; + }; + }; + + ruler = { + enable_api = true; + alertmanager_url = "http://127.0.0.1:9093"; + storage = { + type = "local"; + local = { + directory = "${pkgs.writeTextDir "fake/homelab.yaml" (lib.generators.toYAML {} { + groups = [ + { + name = "homelab"; + interval = "1m"; + rules = [ + { + alert = "HostDown"; + expr = ''absent_over_time({host="viola"}[10m])''; + for = "10m"; + labels = {severity = "critical";}; + annotations = { + summary = "Host viola not sending logs"; + }; + } + { + alert = "OOMKiller"; + expr = ''count_over_time({host="viola"} |= "Out of memory: Killed process" [5m]) > 0''; + labels = {severity = "warning";}; + annotations = { + summary = "OOM killer fired 
on viola"; + }; + } + ]; + } + ]; + })}"; + }; + }; + }; + }; + }; + }; +} diff --git a/viola/services/microbin.nix b/viola/services/microbin.nix new file mode 100644 index 0000000..a79a074 --- /dev/null +++ b/viola/services/microbin.nix @@ -0,0 +1,18 @@ +{config, ...}: { + services = { + microbin = { + enable = true; + passwordFile = toString config.sops.secrets.microbinPass; + settings = { + MICROBIN_PORT = 8080; + MICROBIN_BIND = "[::]"; + MICROBIN_PUBLIC_PATH = "bin.hand7s.org"; + MICROBIN_READONLY = true; + MICROBIN_ENABLE_BURN_AFTER = true; + MICROBIN_DEFAULT_BURN_AFTER = 100; + MICROBIN_DEFAULT_EXPIRY = "1week"; + MICROBIN_QR = true; + }; + }; + }; +} diff --git a/viola/services/mimir.nix b/viola/services/mimir.nix new file mode 100644 index 0000000..0e93a63 --- /dev/null +++ b/viola/services/mimir.nix 
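Review bot: Both redis cache blocks use `password = "loki"`, but redis.nix in this commit sets that server's `requirePass` to `lib.hashString "md5" "loki"`, so every cache lookup fails AUTH; the two must agree, ideally via one sops secret referenced from both places. `auth_enabled = false` with `http_listen_port = 3100` means anyone who can reach the port can push and query logs; unless the module already binds loopback (not visible here) add `http_listen_address = "127.0.0.1";` and the gRPC equivalent for 9097.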
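Review bot: `passwordFile = toString config.sops.secrets.microbinPass` applies `toString` to an attribute set and fails at evaluation; it should be `config.sops.secrets.microbinPass.path`. `MICROBIN_PORT = 8080` collides with homepage-dashboard's `listenPort = 8080`, and `MICROBIN_BIND = "[::]"` cannot be bound on the ipv6-disabled kernel this commit configures; bind `127.0.0.1` on a free port and route it through Traefik like the other services. Note also that microbin.nix is not added to default.nix's imports, so as committed it is never enabled.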
@@ -0,0 +1,124 @@ +{ + lib, + pkgs, + ... +}: { + services = { + mimir = { + enable = true; + + configuration = { + multitenancy_enabled = false; + + target = "all"; + server = { + http_listen_port = 9009; + }; + + common = { + storage = { + backend = "filesystem"; + filesystem = { + dir = "/var/lib/mimir"; + }; + }; + }; + + blocks_storage = { + backend = "filesystem"; + filesystem = { + dir = "/var/lib/mimir/blocks"; + }; + + tsdb = { + dir = "/var/lib/mimir/tsdb"; + }; + }; + + compactor = { + data_dir = "/var/lib/mimir/compactor"; + }; + + ingester = { + ring = { + instance_addr = "127.0.0.1"; + replication_factor = 1; + kvstore = { + store = "memberlist"; + }; + }; + }; + + store_gateway = { + sharding_ring = { + replication_factor = 1; + }; + }; + + ruler = { + alertmanager_url = "http://127.0.0.1:9093"; + }; + + ruler_storage = { + backend = "local"; + local = { + directory = "${pkgs.writeTextDir "anonymous/homelab.yml" (lib.generators.toYAML {} { + groups = [ + { + name = "homelab"; + interval = "1m"; + rules = [ + { + alert = "HighDiskUsage"; + expr = '' + (1 - node_btrfs_device_unused_bytes / node_btrfs_device_size_bytes) * 100 > 85 + ''; + for = "5m"; + labels = {severity = "warning";}; + annotations = { + summary = "High disk usage on {{ $labels.instance }}"; + }; + } + { + alert = "HighMemoryUsage"; + expr = '' + (1 - node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes) * 100 > 90 + ''; + for = "5m"; + labels = {severity = "warning";}; + annotations = { + summary = "High memory usage on {{ $labels.instance }}"; + }; + } + { + alert = "HighCpuUsage"; + expr = '' + 100 - (avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80 + ''; + for = "5m"; + labels = {severity = "warning";}; + annotations = { + summary = "High CPU usage on {{ $labels.instance }}"; + }; + } + { + alert = "ServiceDown"; + expr = '' + node_systemd_unit_state{state="active"} == 0 + ''; + for = "2m"; + labels = {severity = "critical";}; + annotations = { + 
summary = "Service {{ $labels.name }} is down on {{ $labels.instance }}"; + }; + } + ]; + } + ]; + })}"; + }; + }; + }; + }; + }; +} diff --git a/viola/services/openssh.nix b/viola/services/openssh.nix index 0abb7bf..e136f96 100644 --- a/viola/services/openssh.nix +++ b/viola/services/openssh.nix @@ -5,7 +5,7 @@ allowSFTP = true; openFirewall = true; ports = [ - 47345 + 6969 ]; settings = { diff --git a/viola/services/postgresql.nix b/viola/services/postgresql.nix index 3b3ad12..c9e502b 100644 --- a/viola/services/postgresql.nix +++ b/viola/services/postgresql.nix @@ -44,12 +44,8 @@ _: { "zitadel" ]; - initialScript = ""; # nope - - authentication = ""; #nope - settings = { - port = "${dbport}"; + port = "????"; }; }; }; diff --git a/viola/services/privatebin.nix b/viola/services/privatebin.nix deleted file mode 100644 index 24ee0f7..0000000 --- a/viola/services/privatebin.nix +++ /dev/null @@ -1,43 +0,0 @@ -_: { - services = { - privatebin = { - enable = true; - enableNginx = true; - virtualHost = "bin.hand7s.org"; - settings = { - main = { - name = "hand7s bin"; - discussion = false; - qrcode = false; - compression = "none"; - defaultformatter = "plaintext"; - fileupload = false; - languageselection = false; - password = true; - sizelimit = 10 * 1000 * 1000; - template = "bootstrap5"; - }; - - expire = { - default = "1week"; - clone = false; - }; - - formatter_options = { - markdown = "Markdown"; - plaintext = "Plain Text"; - syntaxhighlighting = "Source Code"; - }; - - traffic = { - limit = 5; - }; - - purge = { - limit = 0; - batchsize = 10; - }; - }; - }; - }; -} diff --git a/viola/services/redis.nix b/viola/services/redis.nix index 75fdfed..c0ce477 100644 --- a/viola/services/redis.nix +++ b/viola/services/redis.nix 
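Review bot: `ingester.ring.kvstore.store = "memberlist"` starts the gossip listener (port 7946, by default on all interfaces) for a single-node deployment with `replication_factor = 1`; loki.nix in this commit uses `store = "inmemory"` for the same setup and Mimir should match so no unauthenticated cluster port is opened. `server.http_listen_port = 9009` has no `http_listen_address`, so remote_write on `/api/v1/push` is reachable from the network with `multitenancy_enabled = false`; add `http_listen_address = "127.0.0.1";`. The `ServiceDown` rule fires for every unit not in `active`, including completed oneshots, so it will page on each boot — restrict it with a `name=~"..."` matcher listing the services you care about.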
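Review bot: `port = "????"` is neither an integer nor a valid port, so `services.postgresql.settings.port` fails at evaluation (or PostgreSQL at startup); the Forgejo/Zitadel/Stalwart hunks in this commit all switch to `host = "localhost"`, i.e. the default 5432, so simply drop the line. With those clients now connecting over TCP rather than the unix socket, the `authentication` block removed here no longer controls who may connect; confirm the resulting pg_hba still restricts each database to its own role.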
@@ -5,47 +5,11 @@ servers = { "forgejo" = { enable = true; - port = "${cacheport1}"; + port = 6381; logLevel = "warning"; databases = 16; maxclients = 10000; - requirePass = "${cachepass1}"; - - settings = { - stop-writes-on-bgsave-error = "yes"; - rdbcompression = "yes"; - rdbchecksum = "yes"; - - maxmemory = "1GB"; - maxmemory-policy = "volatile-lru"; - maxmemory-samples = 3; - }; - - save = [ - [ - 900 - 1 - ] - - [ - 300 - 10 - ] - - [ - 60 - 1000 - ] - ]; - }; - - "woodpecker" = { - enable = false; - port = "${cacheport2}"; - logLevel = "warning"; - databases = 16; - maxclients = 10000; - requirePass = "${cachepass2}"; + requirePass = "forgejo"; settings = { stop-writes-on-bgsave-error = "yes"; @@ -77,11 +41,11 @@ "stalwart" = { enable = true; - port = "${cacheport3}"; + port = 6382; logLevel = "warning"; databases = 16; maxclients = 10000; - requirePass = "${cachepass3}"; + requirePass = lib.hashString "md5" "stalwart"; settings = { stop-writes-on-bgsave-error = "yes"; @@ -113,11 +77,11 @@ "zitadel" = { enable = true; - port = "${cacheport4}"; + port = 6383; logLevel = "warning"; databases = 16; maxclients = 10000; - requirePass = "${cachepass4}"; + requirePass = lib.hashString "md5" "zitadel"; settings = { stop-writes-on-bgsave-error = "yes"; 
@@ -146,6 +110,114 @@ ] ]; }; + + "traefik" = { + enable = true; + port = 6384; + logLevel = "warning"; + databases = 16; + maxclients = 10000; + requirePass = lib.hashString "md5" "traefik"; + + settings = { + stop-writes-on-bgsave-error = "yes"; + rdbcompression = "yes"; + rdbchecksum = "yes"; + + maxmemory = "1GB"; + maxmemory-policy = "volatile-lru"; + maxmemory-samples = 3; + }; + + save = [ + [ + 900 + 1 + ] + + [ + 300 + 10 + ] + + [ + 60 + 1000 + ] + ]; + }; + + "loki" = { + enable = true; + port = 6385; + logLevel = "warning"; + databases = 16; + maxclients = 10000; + requirePass = lib.hashString "md5" "loki"; + + settings = { + stop-writes-on-bgsave-error = "yes"; + rdbcompression = "yes"; + rdbchecksum = "yes"; + + maxmemory = "1GB"; + maxmemory-policy = "allkeys-lru"; + maxmemory-samples = 3; + }; + + save = [ + [ + 900 + 1 + ] + + [ + 300 + 10 + ] + + [ + 60 + 1000 + ] + ]; + }; + + "mimir" = { + enable = true; + port = 6386; + logLevel = "warning"; + databases = 16; + maxclients = 10000; + requirePass = lib.hashString "md5" "mimir"; + + settings = { + stop-writes-on-bgsave-error = "yes"; + rdbcompression = "yes"; + rdbchecksum = "yes"; + + maxmemory = "1GB"; + maxmemory-policy = "allkeys-lru"; + maxmemory-samples = 3; + }; + + save = [ + [ + 900 + 1 + ] + + [ + 300 + 10 + ] + + [ + 60 + 1000 + ] + ]; + }; }; }; }; diff --git a/viola/services/resolved.nix b/viola/services/resolved.nix new file mode 100644 index 0000000..8c268e8 --- /dev/null +++ b/viola/services/resolved.nix 
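Review bot: `requirePass = lib.hashString "md5" "traefik"` (and the same pattern for stalwart/zitadel/loki/mimir) is a deterministic transform of a public string, so the password is recoverable by anyone with the repo — no better than `requirePass = "forgejo"` in the first hunk — and both variants end up world-readable in the Nix store. Use `requirePassFile = config.sops.secrets."redis-traefik".path;` per server (the file already relies on sops elsewhere) so the value never enters the store. Every consumer visible in this commit uses the unix socket under `/run/redis-*/`, so `port = 0` would also close the unnecessary TCP listeners.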
@@ -0,0 +1,39 @@
+_: {
+ services = {
+ resolved = {
+ enable = true;
+ dnsovertls = "true";
+ dnssec = "true";
+ llmnr = "true";
+ domains = [
+ "~."
+ ];
+
+ fallbackDns = [
+ # cf dns
+ "1.1.1.1"
+ "1.0.0.1"
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+
+ # google dns
+ "8.8.8.8"
+ "8.8.4.4"
+ "2001:4860:4860::8888"
+ "2001:4860:4860::8844"
+
+ # q9 dns
+ "9.9.9.9"
+ "149.112.112.112"
+ "2620:fe::fe"
+ "2620:fe::9"
+
+ # open dns
+ "208.67.222.222"
+ "208.67.220.220"
+ "2620:119:35::35"
+ "2620:119:53::53"
+ ];
+ };
+ };
+}
diff --git a/viola/services/stalwart.nix b/viola/services/stalwart.nix
index 9523498..4ef544f 100644
--- a/viola/services/stalwart.nix
+++ b/viola/services/stalwart.nix
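Review bot: Eight of the `fallbackDns` entries are IPv6 addresses, but kernel.nix in this commit boots with `ipv6.disable=1`, so resolved burns timeouts on unreachable resolvers before falling through; drop them or re-enable IPv6. These are only *fallback* servers — with `dnsovertls = "true"` (strict) and `dnssec = "true"` any link-supplied resolver that lacks DoT is refused, so set the DoT-capable upstreams as the primary `networking.nameservers` explicitly rather than relying on the fallback path. `llmnr = "true"` turns on an LLMNR responder/resolver on a server, a classic name-spoofing vector on shared LANs; `llmnr = "false"` is the safer default here.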
@@ -1,87 +1,118 @@ -_: { +{config, ...}: { services = { - stalwart-mail = { + stalwart = { enable = true; settings = { - acme = { - "cloudflare" = { - default = true; - challenge = "dns-01"; - provider = "cloudflare"; - origin = "hand7s.org"; - secret = "${mail_secret}"; - contact = [ - "me@hand7s.org" - ]; - - email = "me@hand7s.org"; - directory = "https://acme-staging-v02.api.letsencrypt.org/directory"; - domains = [ - "mail.hand7s.org" - ]; - }; - }; - server = { - hostname = "mail.hand7s.org"; + allowed-ip = [ + "127.0.0.1" + "100.109.201.146" + "192.168.1.0/24" + ]; + + auto-ban = { + enable = false; + unban-after = "1h"; + }; proxy = { trusted-networks = [ + "127.0.0.0/8" "::1" - "100.109.213.170/16" + "100.109.201.146" ]; }; + hostname = "mail.hand7s.org"; + + proxy-networks = [ + "127.0.0.1/32" + "100.109.201.146" + ]; + listener = { "lmtp" = { - bind = "[::]:24"; + bind = "0.0.0.0:24"; protocol = "lmtp"; }; "smtp" = { - bind = "[::]:25"; + bind = "0.0.0.0:25"; protocol = "smtp"; + proxy-protocol = true; }; "pop3" = { - bind = "[::]:110"; + bind = "0.0.0.0:110"; protocol = "pop3"; + proxy-protocol = true; }; "imap" = { - bind = "[::]:143"; + bind = "0.0.0.0:143"; protocol = "imap"; + proxy-protocol = true; + tls = { + enable = true; + implicit = false; + certificate = "default"; + }; }; "submissions" = { - bind = "[::]:465"; + bind = "0.0.0.0:465"; protocol = "smtp"; + proxy-protocol = true; + tls = { + certificate = "default"; + implicit = true; + enable = true; + }; }; "submission" = { - bind = "[::]:587"; + bind = "0.0.0.0:587"; protocol = "smtp"; + proxy-protocol = true; + tls = { + enable = true; + implicit = false; + certificate = "default"; + }; }; "imaptls" = { - bind = "[::]:993"; - protocol = "smtp"; + bind = "0.0.0.0:993"; + protocol = "imap"; + proxy-protocol = true; + tls = { + certificate = "default"; + implicit = true; + enable = true; + }; }; "pop3s" = { - bind = "[::]:995"; + bind = "0.0.0.0:995"; protocol = "pop3"; + proxy-protocol = 
true; + tls = { + certificate = "default"; + implicit = true; + enable = true; + }; }; "sieve" = { - bind = "[::]:4190"; + bind = "0.0.0.0:4190"; + proxy-protocol = true; protocol = "managesieve"; }; "management" = { protocol = "http"; bind = [ - "127.0.0.1:8980" + "0.0.0.0:8980" ]; }; }; @@ -102,18 +133,54 @@ _: { }; store = { - # nope - # i'm not redacting my main config - # here to show it here - # refer to stalwart mail - # ty + "postgresql" = { + type = "postgresql"; + host = "localhost"; + timeout = "15s"; + + tls = { + enable = false; + allow-invalid-certs = false; + }; + + pool = { + max-connections = 10; + }; + }; + + "redis" = { + type = "redis"; + redis-type = "single"; + urls = ''redis+unix:///run/redis-stalwart/redis.sock?password=${config.services."stalwart".settings.requirePass}''; + timeout = "180s"; + }; + }; + + oauth = { + "zitadel" = { + type = "oidc"; + issuer = "http://zitadel.hand7s.org:8443/.well-known/openid-configuration"; + tls-allow-invalid-certs = true; + }; + }; + + directory = { + "zitadel" = { + type = "oidc"; + timeout = "1s"; + issuer = "http://zitadel.hand7s.org:8443/.well-known/openid-configuration"; + tls-allow-invalid-certs = true; + }; }; authentication = { - fallback-admin = { - user = "admin"; - secret = "admin"; - }; + directories = [ + "zitadel" + ]; + + oauth = [ + "zitadel" + ]; }; tracer = { @@ -123,6 +190,14 @@ _: { level = "debug"; }; + otlp = { + enable = true; + type = "open-telemetry"; + endpoint = "http://127.0.0.1:4317"; + transport = "grpc"; + level = "info"; + }; + console = { enable = true; type = "console"; diff --git a/viola/services/sws.nix b/viola/services/sws.nix new file mode 100644 index 0000000..99d75cd --- /dev/null +++ b/viola/services/sws.nix @@ -0,0 +1,9 @@ +_: { + services = { + static-web-server = { + enable = true; + listen = "0.0.0.0:8180"; + root = "/home/hand7s/site"; + }; + }; +} diff --git a/viola/services/tempo.nix b/viola/services/tempo.nix new file mode 100644 index 0000000..6ebd89b 
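Review bot: `"management"` moves from `127.0.0.1:8980` to `0.0.0.0:8980`, putting the admin HTTP interface on every interface while `auto-ban.enable = false` switches off the only brute-force throttle, and no firewall module survives this commit; Traefik already fronts the host, so keep `bind = [ "127.0.0.1:8980" ];` and route `mail.hand7s.org` to it. Every mail listener now has `proxy-protocol = true`, so clients that connect directly without a PROXY header are dropped — fine if the `100.109.201.146` proxy is always in front, but `server.proxy.trusted-networks` and the top-level `proxy-networks` list differ (`127.0.0.0/8` + `::1` vs `127.0.0.1/32`, no `::1`), so pick the key this Stalwart version actually reads and delete the other.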
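Review bot: `urls = ''redis+unix://...?password=${config.services."stalwart".settings.requirePass}''` dereferences `services.stalwart.settings.requirePass`, which is not an option of this module (the password is `config.services.redis.servers.stalwart.requirePass`), so evaluation fails; once corrected the password still lands in the Nix store, so build this URL from a sops template instead. The `oauth`/`directory` entries use `http://zitadel.hand7s.org:8443/.well-known/openid-configuration` with `tls-allow-invalid-certs = true`, sending every IMAP/SMTP/JMAP credential check to the IdP in plaintext — use the `https://zitadel.hand7s.org` issuer and drop the override. With `fallback-admin` removed, any Zitadel outage also locks out administration; keep a fallback admin whose secret comes from sops.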
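Review bot: `listen = "0.0.0.0:8180"` exposes the static site on every interface although Traefik fronts the host; `listen = "127.0.0.1:8180";` is enough. `root = "/home/hand7s/site"` serves from a user's home: the service account needs traverse rights on `/home/hand7s`, which means loosening that directory, and anything the user leaves there becomes public — a dedicated `/var/www/site` (creatable from the new systemd/tmpfiles/rules.nix) avoids both.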
--- /dev/null
+++ b/viola/services/tempo.nix
@@ -0,0 +1,90 @@
+_: {
+ services = {
+ tempo = {
+ enable = true;
+
+ settings = {
+ server = {
+ http_listen_port = 3200;
+ grpc_listen_port = 9096;
+ };
+
+ distributor = {
+ receivers = {
+ otlp = {
+ protocols = {
+ grpc = {
+ endpoint = "0.0.0.0:4317";
+ };
+
+ http = {
+ endpoint = "0.0.0.0:4318";
+ };
+ };
+ };
+ };
+ };
+
+ ingester = {
+ lifecycler = {
+ ring = {
+ replication_factor = 1;
+ };
+ };
+ };
+
+ storage = {
+ trace = {
+ backend = "local";
+ local = {
+ path = "/var/lib/tempo/blocks";
+ };
+
+ block = {
+ version = "vParquet4";
+ };
+
+ wal = {
+ path = "/var/lib/tempo/wal";
+ };
+ };
+ };
+
+ compactor = {
+ compaction = {
+ block_retention = "720h";
+ };
+ };
+
+ metrics_generator = {
+ registry = {
+ external_labels = {
+ source = "tempo";
+ };
+ };
+
+ storage = {
+ path = "/var/lib/tempo/generator";
+ remote_write = [
+ {
+ url = "http://127.0.0.1:9009/api/v1/push";
+ }
+ ];
+ };
+ };
+
+ overrides = {
+ defaults = {
+ metrics_generator = {
+ processors = [
+ "service-graphs"
+ "span-metrics"
+ "local-blocks"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/viola/services/traefik.nix b/viola/services/traefik.nix
new file mode 100644
index 0000000..0350407
--- /dev/null
+++ b/viola/services/traefik.nix
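Review bot: The distributor's OTLP receivers bind `0.0.0.0:4317`/`0.0.0.0:4318`, the same addresses alloy.nix's `otelcol.receiver.otlp` binds in this commit, so whichever starts second fails to bind. Alloy already forwards to `127.0.0.1:4317` and nothing else in this diff sends to Tempo directly, so bind Tempo to `127.0.0.1` (and move Alloy's receiver to other ports) to keep an unauthenticated trace ingest off the network — no firewall module survives this commit.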
@@ -0,0 +1,197 @@ +{config, ...}: { + services = { + traefik = { + enable = true; + + environmentFiles = [ + config.sops.templates."traefik.env".path + ]; + + dynamicConfigOptions = { + http = { + routers = { + "home" = { + rule = "Host(`home.hand7s.org`)"; + service = "home-svc"; + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = "*.hand7s.org"; + } + ]; + }; + + entryPoints = [ + "websecure" + ]; + }; + + "pass" = { + rule = "Host(`pass.hand7s.org`)"; + service = "pass-svc"; + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = "*.hand7s.org"; + } + ]; + }; + + entryPoints = [ + "websecure" + ]; + }; + + "luci" = { + rule = "Host(`luci.hand7s.org`)"; + service = "luci-svc"; + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = "*.hand7s.org"; + } + ]; + }; + + entryPoints = [ + "websecure" + ]; + }; + + "sync" = { + rule = "Host(`sync.hand7s.org`)"; + service = "sync-svc"; + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = "*.hand7s.org"; + } + ]; + }; + }; + + entryPoints = [ + "websecure" + ]; + }; + + services = { + "home-svc" = { + loadBalancer = { + servers = [ + { + url = "http://127.0.0.1:8080"; + } + ]; + }; + }; + + "pass-svc" = { + loadBalancer = { + servers = [ + { + url = "http://127.0.0.1:53353"; + } + ]; + }; + }; + + "sync-svc" = { + loadBalancer = { + servers = [ + { + url = "http://127.0.0.1:80"; + } + ]; + }; + }; + + "luci-svc" = { + loadBalancer = { + servers = [ + { + url = "http://192.168.1.2"; + } + ]; + }; + }; + }; + }; + }; + + staticConfigOptions = { + api = { + dashboard = true; + }; + + tracing = { + otlp = { + grpc = { + endpoint = "127.0.0.1:4317"; + insecure = true; + }; + }; + }; + + certificatesResolvers = { + "cloudflare" = { + acme = { + email = "litvinovb0@gmail.com"; + storage = "${config.services.traefik.dataDir}/acme.json"; + dnsChallenge = { + provider = "cloudflare"; + 
resolvers = [ + "1.1.1.1:53" + "8.8.8.8:53" + ]; + }; + }; + }; + }; + + log = { + level = "INFO"; + }; + + entryPoints = { + "web" = { + address = ":80"; + http = { + redirections = { + entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + }; + }; + + "websecure" = { + address = ":443"; + http = { + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = [ + "*.hand7s.org" + ]; + } + ]; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/viola/services/vaultwarden.nix b/viola/services/vaultwarden.nix deleted file mode 100644 index cddc3d6..0000000 --- a/viola/services/vaultwarden.nix +++ /dev/null @@ -1,12 +0,0 @@ -_: { - services = { - vaultwarden = { - enable = true; - dbBackend = "postgresql"; - config = { - # holy private thing - # im NOT sharing it here - }; - }; - }; -} diff --git a/viola/services/woodpecker.nix b/viola/services/woodpecker.nix index c3fe436..2bfde39 100644 --- a/viola/services/woodpecker.nix +++ b/viola/services/woodpecker.nix 
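Review bot: The `"sync"` router's `};` closes before its `entryPoints = [ "websecure" ];`, so that key lands under `routers` as an invalid router named `entryPoints` and `sync` itself has no entry point; move the list inside the block. `sync-svc` points at `http://127.0.0.1:80`, which is Traefik's own `web` entrypoint with an https redirect, producing a redirect loop rather than reaching Syncthing. `luci-svc` publishes the router's admin UI (`http://192.168.1.2`, plain http) under a public wildcard-cert hostname with no auth or `ipAllowList` middleware, although homepage.nix files it under "Local-only" — add an allowlist for `192.168.1.0/24` and the Tailscale address (or a forwardAuth via Zitadel) before exposing it. The per-router `sans = "*.hand7s.org"` is a string where the entrypoint-level `sans` is a list; Traefik expects the list form.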
@@ -1,19 +1,40 @@
-_: {
+{lib, ...}: {
 services = {
 woodpecker-server = {
- enable = false;
+ enable = true;
 environment = {
- WOODPECKER_OPEN = "true";
+ WOODPECKER_OPEN = toString true;
+ WOODPECKER_ADMINS = "s0me1newithhand7s";
 WOODPECKER_DATABASE_DRIVER = "postgres";
- WOODPECKER_DATABASE_DATASOURCE = "${pqsql_socket}";
- WOODPECKER_SERVER_ADDR = "${ciport1}";
- WOODPECKER_GRPC_ADDR = "${ciport1}";
- WOODPECKER_HOST = "https://cicd.hand7s.org";
+ WOODPECKER_SERVER_ADDR = ":53351";
+ WOODPECKER_GRPC_ADDR = ":53352";
+ WOODPECKER_HOST = "https://woodpecker.hand7s.org";
- WOODPECKER_FORGEJO = "true";
+ WOODPECKER_AGENT_SECRET = lib.hashString "md5" "woodpeckerAgent";
+
+ WOODPECKER_FORGEJO = toString true;
 WOODPECKER_FORGEJO_URL = "https://git.hand7s.org";
- WOODPECKER_FORGEJO_CLIENT = "${cisecret1}";
- FORGEJO_SECRET = "${cisecret2}";
+ WOODPECKER_FORGEJO_CLIENT = lib.hashString "md5" "replaceme1";
+ WOODPECKER_FORGEJO_SECRET = lib.hashString "md5" "replaceme2";
+ };
+ };
+
+ woodpecker-agents = {
+ agents = {
+ "podman" = {
+ enable = true;
+ extraGroups = [
+ "podman"
+ ];
+
+ environment = {
+ WOODPECKER_AGENT_SECRET = lib.hashString "md5" "woodpeckerAgent";
+ WOODPECKER_SERVER = "localhost:53352";
+ WOODPECKER_MAX_WORKFLOWS = "4";
+ WOODPECKER_BACKEND = "docker";
+ DOCKER_HOST = "unix:///var/run/podman/podman.sock";
+ };
+ };
 };
 };
 };
diff --git a/viola/services/zitadel.nix b/viola/services/zitadel.nix
index 9b1b65a..1c7566d 100644
--- a/viola/services/zitadel.nix
+++ b/viola/services/zitadel.nix
@@ -3,7 +3,6 @@
 zitadel = {
 enable = true;
 tlsMode = "external";
- masterKeyFile = config.sops.secrets.zitadelMasterKey;
 steps = {
 FirstInstance = {
@@ -24,7 +23,7 @@
 PreferredLanguage = "en";
 Email = {
- Address = "me@hand7s.org";
+ Address = "admin@hand7s.org";
 Verified = true;
 };
 };
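Review bot: `WOODPECKER_AGENT_SECRET`, `WOODPECKER_FORGEJO_CLIENT` and `WOODPECKER_FORGEJO_SECRET` are computed with `lib.hashString "md5"` from constant strings that live in the repository, so every value is derivable by anyone who can read the flake, and evaluation also embeds it in the world-readable Nix store and in the unit's environment; `"replaceme1"`/`"replaceme2"` additionally look like unfilled placeholders that will not authenticate against Forgejo. Provide these through a sops-backed environment file, the way `traefik.nix` in this commit consumes `config.sops.templates."traefik.env".path` (the woodpecker-server and per-agent modules expose an `environmentFile` option for exactly this, if I read them right), and drop the duplicated agent secret from the `woodpecker-agents` `environment` attrset for the same reason. A smaller point: `toString true` evaluates to `"1"` and `toString false` to `""`, so `WOODPECKER_OPEN = lib.boolToString true;` is the safer spelling if either flag is ever flipped. The file's closing brace lies outside the hunk.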
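Review bot: Removing `masterKeyFile` leaves Zitadel with no master key source in this file; the NixOS module's `masterKeyFile` option has no default as far as I can tell, so unless it is set in another module the evaluation will fail, and if it is set elsewhere a comment here should say so. The removed line was itself wrong because it passed the sops secret attrset rather than its path, so the fix is `masterKeyFile = config.sops.secrets.zitadelMasterKey.path;` (using whichever secret name `sops/secrets.nix` declares), not deletion. This key protects Zitadel's stored secrets, so keep it on the file-path route rather than inlining it anywhere under `settings`.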
@@ -38,8 +37,17 @@
 ExternalDomain = "zitadel.hand7s.org";
 ExternalSecure = true;
+ Machine = {
+ MachineID = {
+ Type = "static";
+ Static = {
+ MachineID = 1;
+ };
+ };
+ };
+
 Log = {
- Level = "debug";
+ Level = "info";
 };
 Telemetry = {
@@ -48,15 +56,7 @@
 Database = {
 postgres = {
- Host = "${dbhost}";
- Port = "${dbport}";
- Database = "zitadel";
- User = {
- Username = "zitadel";
- SSL = {
- Mode = "disable";
- };
- };
+ Host = "localhost";
 };
 };
@@ -64,8 +64,8 @@
 Connectors = {
 Redis = {
 Enabled = true;
- Addr = "${cahceaddress}";
- Password = "${cahcepass}";
+ Addr = "localhost:6383";
+ Password = config.services.stalwart-mail.settings.requirePass;
 PoolSize = "900";
 PoolTimeout = "1800s";
 };
diff --git a/viola/systemd/tmpfiles/rules.nix b/viola/systemd/tmpfiles/rules.nix
new file mode 100644
index 0000000..a9a94f5
--- /dev/null
+++ b/viola/systemd/tmpfiles/rules.nix
@@ -0,0 +1,9 @@
+_: {
+ systemd = {
+ tmpfiles = {
+ rules = [
+ # chaos
+ ];
+ };
+ };
+}
diff --git a/viola/users/users/hand7s.nix b/viola/users/users/hand7s.nix
index 141b5a3..c80bf46 100644
--- a/viola/users/users/hand7s.nix
+++ b/viola/users/users/hand7s.nix
@@ -8,8 +8,17 @@ _: {
 initialHashedPassword = "$6$ckgRhNWmJgSwOUpJ$kfeAdokd5fa76HWbTmWN2YXx4M/PQVOTJku1ODbqbBhEkUFiLftdaJFRnNXfIM3Jtz0ShoRMSVCB7mDkxDrdi/";
 extraGroups = [
 "wheel"
+ "networkmanager"
 "docker"
 ];
+
+ openssh = {
+ authorizedKeys = {
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDp2IIdR5jV1HyG4aiRX7SfTNrXDhCx5rTiFU40qkOKq litvinovb0@gmail.com"
+ ];
+ };
+ };
 };
 };
 };
diff --git a/viola/virtualisation/docker.nix b/viola/virtualisation/docker.nix
index 805ac30..b5b81d7 100644
--- a/viola/virtualisation/docker.nix
+++ b/viola/virtualisation/docker.nix
@@ -1,9 +1,11 @@
 _: {
 virtualisation = {
- docker = {
+ podman = {
 enable = true;
- rootless = {
- enable = true;
+ defaultNetwork = {
+ settings = {
+ dns_enabled = true;
+ };
 };
 };
 };
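Review bot: `Password = config.services.stalwart-mail.settings.requirePass` ties Zitadel's Redis credential to the mail server's configuration, so the two services now share one cache password and any later edit in `stalwart.nix` silently changes Zitadel's connector. As far as I can tell the zitadel module renders `settings` into a configuration file in the world-readable Nix store, which would expose that password to every local user; a value that is a secret belongs in a sops-managed file loaded through the module's `extraSettingsPaths` (or equivalent), with its own credential per service. If the shared value is deliberate, a comment such as `# shared with stalwart-mail on purpose: single Redis instance on :6383` would make that reviewable.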
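Review bot: Replacing rootless Docker with the system `podman` module is a privilege change that the rest of the commit relies on: the agent in `woodpecker.nix` joins the `podman` group and points at `unix:///var/run/podman/podman.sock`, so CI workflows coming from Forgejo will now start containers through the rootful socket, which is effectively root-equivalent, where the previous daemon ran unprivileged. This hunk also does not enable the API socket (`virtualisation.podman.dockerSocket.enable`, or the `podman.socket` unit), so that path may not exist until it is turned on. If rootful is intended, record it here, e.g. `# rootful podman: the woodpecker agent drives it over the API socket; podman group == root-equivalent`, and keep the `podman` group limited to that service account; otherwise a rootless Podman socket under the agent's own user would preserve the earlier isolation. The `docker` group retained on the `hand7s` user in `hand7s.nix` no longer maps to anything once the Docker module is gone and can be dropped.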
